I reviewed cups-browsed 2.0~b4-0ubuntu2 as checked into lunar. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

cups-browsed is a helper daemon to browse the network for remote CUPS queues and IPP network printers and automatically create local queues pointing to them. It used to be a binary in cups-filters source and has now been split into a new source.

- CVE History:
  - CVE history is applicable to cups-filter, and it is all good. The CVEs that existed were fixed.
- Build-Depends?
  - avahi, cups, dbus, glib2.0, openldap, pkgconf, poppler, zlib all in main
  - libppd, also targeted in the same MIR bug.
- pre/post inst/rm scripts?
  - preinst: runs dh_installdeb
  - prerm: runs dh_installsystemd dh_installdeb
  - postinst: runs dh_apparmor, dh_installdeb, dh_installsystemd and accepts a configure param to set up /var/ directories and add cups-browsed user.
  - postrm: runs dh_apparmor dh_installdeb dh_installsystemd and accepts a purge param to remove the previously set up /var/ directories and remove the cups-browsed user.
- init scripts?
  - NA
- systemd units?
  - starts the daemon /usr/sbin/cups-browsed
- dbus services?
  - NA
- setuid binaries?
  - NA
- binaries in PATH?
  - cups-browsed: ./usr/sbin/cups-browsed
  - cups-browsed-tests: ./usr/bin/run-tests.sh
- sudo fragments?
  - NA
- polkit files?
  - NA
- udev rules?
  - NA
- unit tests / autopkgtests?
  - Tests are defined in the script cups-browsed-2.0~b4/test/run-tests.sh, which seems to do a good job of creating the test setup. It gives the chance to make different types of tests. This is the script that runs in the autopkgtests.
- cron jobs?
  - NA
- Build logs:
  - build log is clean, there is information about the tests being executed in the autopkgtest and not during the build, due to the need of avahi-daemon in the build chroot.
  - Lintian throws the following Errors and Warnings.
    E: cups-browsed: depends-on-obsolete-package Depends: lsb-base
    E: cups-browsed: maintainer-script-lacks-home-in-adduser "adduser --system --ingroup lpadmin cups-browsed" [postinst:8]
    W: cups-browsed: debian-news-entry-has-unknown-version 2.0~b1-0ubuntu1 [usr/share/doc/cups-browsed/NEWS.Debian.gz:1]
    W: cups-browsed: maintainer-script-needs-depends-on-adduser adduser (does not satisfy adduser) [postinst:8]
    W: cups-browsed: mismatched-override executable-in-usr-lib usr/lib/cups/backend/implicitclass [usr/share/lintian/overrides/cups-browsed:4]
    W: cups-browsed: non-standard-executable-perm 0744 != 0755 [usr/lib/cups/backend/implicitclass]
    W: cups-browsed: wrong-name-for-upstream-changelog [usr/share/doc/cups-browsed/CHANGES.md.gz]
    W: cups-browsed-tests: no-manual-page [usr/bin/run-tests.sh]
    W: cups-browsed-tests: script-with-language-extension [usr/bin/run-tests.sh]

    Some seem OK, like the warnings for 'cups-browsed-tests', but the others could be checked better.
- Processes spawned?
  - No
- Memory management?
  - malloc's and calloc's are being checked, strcpy and sprintf seem fine
  - some coverity reports on memory management will be forwarded to upstream, nothing concerning.
- File IO?
  - All fine.
- Logging?
  - All fine.
- Environment variable usage?
  - OK, they are all used in a fixed sized variable, can't be abused
- Use of privileged functions?
  - No
- Use of cryptography / random number sources etc?
  - No
- Use of temp files?
  - No
- Use of networking?
  - uses http to connect to CUPS, seems fine.
- Use of WebKit?
  - No
- Use of PolicyKit?
  - NA
- Any significant cppcheck results?
  - No
- Any significant Coverity results?
  - Some worth checking, but they will be forwarded to upstream later. Most already exist in the current cups-filters source.
- Any significant shellcheck results?
  - No
- Any significant bandit results?
  - NA

cups-browsed code is pretty similar to the already existing code for the cups-browsed binary that lives inside cups-filter source package.
This cups-browsed source package is part of the split for the version 2.x in the OpenPrinting project.

Security team ACK for promoting cups-browsed to main.